Re: STREAMING!!!!!!! *READ*

Posted: Thu Sep 20, 2012 5:04 pm
by arris69
nobody wrote:...

IMHO, mobile sends something using the public session key. After that "authentication" everything should work.
To find out what it sends, we should reverse the android app.
yes, that's what someone needs to do :-)
Another chance is that they just exchange public keys.
That would be even better because we could generate an aes128 key locally and use the public key as the answer to the TV aes128 key.
So we could decrypt what the tv sends to us at a later time using the private key we have.
but in this sequence the tv does not send any crypted data to the phone, just the phone to the tv....

also if you send StartCloneView request to tv there is another "keyexchange" (tcp.port eq 9999) and if it's not done then you get the NOTOK_InvalidDevice

Re: STREAMING!!!!!!! *READ*

Posted: Thu Sep 27, 2012 10:35 am
by arris69
so, little progress status:

phone gets pubkey1 from tv (dunno for what)
phone gets pubkey2 from tv and sends data back, crypted for the tv's privatekey2 (data seems to be an md5sum of some shit, differs on every request)
phone requests AES128KEY, tv sends pubkey3 and phone again sends a crypted answer (some md5sum from other unknown generated data, crypted for privatekey3) back to tv.
this 3. key seems to be auth. for remote access to smarthub, then tv sends xml with names and icon urls from widgets to phone.

....

Re: STREAMING!!!!!!! *READ*

Posted: Wed Jan 23, 2013 11:39 pm
by easy2011
here is a lib of the E series

Re: STREAMING!!!!!!! *READ*

Posted: Thu Jan 31, 2013 11:36 pm
by E3V3A
If you have the original APK for that app it would be easy to reverse it, unless they have used Java obfuscation. (Which is why it is better to use as early an application version as possible, since they might not have obfuscated it.)

Re: STREAMING!!!!!!! *READ*

Posted: Wed Feb 06, 2013 2:50 am
by dajojo
key exchange on port 9999 probably DRM key
login exchange would be something like: tv sends key, phone uses key to answer, tv checks if access, if not then have to give access first and hold connection, tv sends next connection/ssl key, phone connects and shows contents
java obfuscation is not a problem. the over 100 layers samsung uses in this apk is..

Re: STREAMING!!!!!!! *READ*

Posted: Sat Feb 09, 2013 11:06 am
by arris69
dajojo wrote:key exchange on port 9999 probably DRM key
yes, something like this. but if you do not pass this exchange the tv does not turn on the video stream...
also interesting that the tv does not announce all arguments for the upnp-action StartCloneView.
login exchange would be something like: tv sends key, phone uses key to answer, tv checks if access, if not then have to give access first and hold connection, tv sends next connection/ssl key, phone connects and shows contents
yes, maybe we should tell samsung devs how it has to work :-)
java obfuscation is not a problem. the over 100 layers samsung uses in this apk is..
the thing is that some crypto stuff is done over openssl (not a problem to get the data with custom openssl with data dumping patch).
there is also some data crypted over own samsung crypto-functions (also no problem to rebuild the apk so it dumps the data)
but dunno where this f...g port 9999 is done :lol:

Re: STREAMING!!!!!!! *READ*

Posted: Sat Feb 09, 2013 7:36 pm
by dajojo
arris69 wrote:
dajojo wrote:key exchange on port 9999 probably DRM key
yes, something like this. but if you do not pass this exchange the tv does not turn on the video stream...
also interesting that the tv does not announce all arguments for the upnp-action StartCloneView.
login exchange would be something like: tv sends key, phone uses key to answer, tv checks if access, if not then have to give access first and hold connection, tv sends next connection/ssl key, phone connects and shows contents
yes, maybe we should tell samsung devs how it has to work :-)
java obfuscation is not a problem. the over 100 layers samsung uses in this apk is..
the thing is that some crypto stuff is done over openssl (not a problem to get the data with custom openssl with data dumping patch).
there is also some data crypted over own samsung crypto-functions (also no problem to rebuild the apk so it dumps the data)
but dunno where this f...g port 9999 is done :lol:
tv doesn't announce nothing but itself yes
think it's to save room on emmc chip
once cloneview started the stream stays active but has DRM encryption on it. DRM key is provided by tv and works like DRM should.
i think ssl can be disabled on tv with root. just set it to http instead of https.
openssl is full of holes so that is a good thing for us hehe
well, since it is in the 9000 range it is presumably a zeus server which controls something

Re: STREAMING!!!!!!! *READ*

Posted: Sat Feb 09, 2013 9:17 pm
by arris69
dajojo wrote:..
tv doesn't announce nothing but itself yes
i mean upnp action StartCloneView, tv announced it with parameterlist:

Code:

<action>
        <name>StartCloneView</name>
        <argumentList>
                <argument>
                        <name>Result</name>
                        <direction>out</direction>
                        <relatedStateVariable>A_ARG_TYPE_Result</relatedStateVariable>
                </argument>
                <argument>
                        <name>ForcedFlag</name>
                        <direction>in</direction>
                        <relatedStateVariable>A_ARG_TYPE_ForcedFlag</relatedStateVariable>
                </argument>
                <argument>
                        <name>CloneViewURL</name>
                        <direction>out</direction>
                        <relatedStateVariable>A_ARG_TYPE_URL</relatedStateVariable>
                </argument>
        </argumentList>
</action>
but fact is it needs also the argument DRMType (direction = in)
think it's to save room on emmc chip
once cloneview started the stream stays active but has DRM encryption on it. DRM key is provided by tv and works like DRM should.
i think ssl can be disabled on tv with root. just set it to http instead of https.
the stream isn't over https, it's an encrypted pts. yes, if you have root you can patch exeDSP so that the stream should not be encrypted, but the problem is the same -> first you have to turn it on from outside...
openssl is full of holes so that is a good thing for us hehe
well, since it is in the 9000 range it is presumably a zeus server which controls something
it's more like hdmi handshake... (just guessed)
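
Added example (not part of arris69's post and not Samsung code): a small audit helper that parses a UPnP service description and reports input arguments a device is observed to require but never declares, which is the StartCloneView/DRMType mismatch described above. The `<scpd>` wrapper and the observed-argument list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the StartCloneView fragment from the post, wrapped in a
# standard UPnP <scpd> root so it parses like a full service description.
SCPD = """<scpd xmlns="urn:schemas-upnp-org:service-1-0"><actionList><action>
  <name>StartCloneView</name>
  <argumentList>
    <argument><name>Result</name><direction>out</direction>
      <relatedStateVariable>A_ARG_TYPE_Result</relatedStateVariable></argument>
    <argument><name>ForcedFlag</name><direction>in</direction>
      <relatedStateVariable>A_ARG_TYPE_ForcedFlag</relatedStateVariable></argument>
    <argument><name>CloneViewURL</name><direction>out</direction>
      <relatedStateVariable>A_ARG_TYPE_URL</relatedStateVariable></argument>
  </argumentList>
</action></actionList></scpd>"""

# Constructed: arguments seen in a working request, per the post's statement
# that DRMType (direction = in) is needed in addition to what is announced.
OBSERVED = ["ForcedFlag", "DRMType"]

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def declared_actions(scpd_xml):
    """Return {action: {"in": [...], "out": [...]}} from an SCPD document."""
    actions = {}
    for el in ET.fromstring(scpd_xml).iter():
        if local(el.tag) != "action":
            continue
        name, args = None, {"in": [], "out": []}
        for child in el:
            if local(child.tag) == "name":
                name = (child.text or "").strip()
            elif local(child.tag) == "argumentList":
                for arg in child:
                    f = {local(x.tag): (x.text or "").strip() for x in arg}
                    args.setdefault(f.get("direction", "in"), []).append(f.get("name"))
        if name:
            actions[name] = args
    return actions

def undeclared_inputs(scpd_xml, action, observed_args):
    """Arguments seen in real requests that the SCPD never declares as 'in'."""
    declared = declared_actions(scpd_xml).get(action, {"in": []})["in"]
    return sorted(set(observed_args) - set(declared))

if __name__ == "__main__":
    print(declared_actions(SCPD))
    print(undeclared_inputs(SCPD, "StartCloneView", OBSERVED))
```
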

Re: STREAMING!!!!!!! *READ*

Posted: Sun Feb 10, 2013 2:28 am
by dajojo
try this version, it's old but works on other tabs than samsung's which helps us along the way.
https://www.dropbox.com/sh/ku95c2vaa3nm ... _1.0.4.apk
samsung s3 phone emulates s2 in build prop before executing program. maybe this got something to do with it as it add some line for samsung mediaplayer.
the app is speaking DLNA xml to the tv and vice versa but remote uses port 55000, when selecting on tv the tv and in android app hdmi it sends some code over 9999 but nothing on port 55000. i.e. zap tv channel higher in app and tv goes channel up, but no traffic on 55000.
i guess it needs confirmation it is a compatible samsung device before it starts the stream and before connecting to a running stream.
stream is mpeg with pts timestamp and drm ?
edit: now that i think of it more.. and u mention hdmi handshake.. how bout anynet+ ?
so that would require device name parsing and some line negotiation anynet style. it also needs some authentication.
in latest smarthub on my es8000 i can set now remote access which keeps it in "on" state all the time so it says and it enabled the function of remote scheduler in the android app. tv authenticates by name given by app to the tv, in fact i have 2 apps on same pc that have different name and authentication in allowed devices. the streaming however needs more input as in device parameters i.e. it needs to know if it is a samsung device and it seems to be using some anynet? features for the sound/video remotecontrol

Re: STREAMING!!!!!!! *READ*

Posted: Sun Feb 10, 2013 11:28 am
by arris69
dajojo wrote:try this version, it's old but works on other tabs than samsung's which helps us along the way.
https://www.dropbox.com/sh/ku95c2vaa3nm ... _1.0.4.apk
already checked all versions, the only one that works in my environment is 3.2.0
samsung s3 phone emulates s2 in build prop before executing program. maybe this got something to do with it as it add some line for samsung mediaplayer.
yes, there is a check in the app. (somewhere in com.samsung.remoteTV)
the app is speaking DLNA xml to the tv and vice versa but remote uses port 55000, when selecting on tv the tv and in android app hdmi it sends some code over 9999 but nothing on port 55000. i.e. zap tv channel higher in app and tv goes channel up, but no traffic on 55000.
you can change channels over upnp too, then traffic goes to port 7676 (but never really played around with it...)

Code:

DeviceName	string(10)	UE46ES8080
Dp	
array(1)RemoteControlReceiver	
array(3)Name	string(46)	urn:samsung.com:device:RemoteControlReceiver:1
Type	string(46)	urn:samsung.com:device:RemoteControlReceiver:1
Location	string(31)	http://192.168.1.50:7676/smp_2_
Sp	
array(1)MultiScreenService	
array(4)Name	string(44)	urn:samsung.com:serviceId:MultiScreenService
Type	string(44)	urn:samsung.com:service:MultiScreenService:1
Location	string(31)	http://192.168.1.50:7676/smp_2_
Actions	
array(1)SendKeyCode	
array(3)KeyCode	
array(2)direction	string(2)	in
type	string(18)	A_ARG_TYPE_KeyCode
in_params	
array(2)0	
array(3)0	string(7)	KeyCode
1	int	64
2	NULL
1	
array(3)0	string(14)	KeyDescription
1	int	64
2	NULL
KeyDescription	
array(2)direction	string(2)	in
type	string(25)	A_ARG_TYPE_KeyDescription
i guess it needs confirmation it is a compatible samsung device before it starts the stream and before connecting to a running stream.
stream is mpeg with pts timestamp and drm ?
mplayer detected it as mpeg stream, so guess it's similar to encrypted sat-stream. (need to check, maybe i have some dumps somewhere...)
edit: now that i think of it more.. and u mention hdmi handshake.. how bout anynet+ ?
dunno, absolutely no real plan about this stuff on port 9999, but the 1. datapack from phone to tv is always the same, maybe some certificate.
so that would require device name parsing and some line negotiation anynet style. it also needs some authentication.
in latest smarthub on my es8000 i can set now remote access which keeps it in "on" state all the time so it says and it enabled the function of remote scheduler in the android app. tv authenticates by name given by app to the tv, in fact i have 2 apps on same pc that have different name and authentication in allowed devices. the streaming however needs more input as in device parameters i.e. it needs to know if it is a samsung device and it seems to be using some anynet? features for the sound/video remotecontrol